SypyBot deleted 4 items, then I set the immunize on
Besides the winbo32 popup that says DOH, I'm getting IE pop-ups that want me to go online, and my desktop wallpaper is coverd with a WARNING! YOU'RE IN DANGER screen. After many warnings it finishes with the phrase "could broke your life", followed by a removal instructions link.
Prevx warnings: (it was shut down for the HJT run, just runed it back on)
Windows explorer is trying to READ, DELETE the protected file/directory C:\R.EXE
I managed to get rid of pruttct.exe, still see mediapass.exe is the processes
Any assistance will be appreciated by me and my neighbor.
Thanks,
D-braves
Here's my HJT log...
Logfile of HijackThis v1.99.1
Scan saved at 7:45:18 PM, on 4/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Prevx Home\PXAgent.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\Smtray.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\windows\system32\msnavc32.exe
C:\Program Files\Media Pass\MediaPassK.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\WINDOWS\win3208181046776.exe
C:\Program Files\Media Pass\MediaPass.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\WINDOWS\SysCheckBop32.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Prevx Home\SAGUI.exe
C:\WINDOWS\System32\stikeng.exe
C:\WINDOWS\System32\cabinet5.exe
C:\WINDOWS\system\irbxes.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\WINDOWS\System32\spiipsec.exe
C:\PROGRA~1\COMMON~1\mmuw\mmuwm.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\PROGRA~1\COMMON~1\mmuw\mmuwa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Cache\mswinstall.exe
C:\WINDOWS\OIUNDLL.EXE
C:\WINDOWS\SLWSENC.EXE
C:\HJT\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=3c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [csuptfn] c:\windows\system32\csuptfn.exe
O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [Media Pass] C:\Program Files\Media Pass\MediaPassK.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [win3208181046776] C:\WINDOWS\win3208181046776.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitevyk32.exe
O4 - HKLM\..\Run: [PrevxHome] C:\Program Files\Prevx Home\SAGUI.exe
O4 - HKLM\..\Run: [q72g3sX] stikeng.exe
O4 - HKLM\..\Run: [782ad9aeb621] C:\WINDOWS\System32\cabinet5.exe
O4 - HKLM\..\Run: [OIUNDLL] C:\WINDOWS\OIUNDLL.EXE
O4 - HKLM\..\Run: [SLWSENC] C:\WINDOWS\SLWSENC.EXE
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [GrpConv] grpconv.exe -o
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [bwtmRibtX] spiipsec.exe
O4 - HKCU\..\Run: [mmuw] C:\PROGRA~1\COMMON~1\mmuw\mmuwm.exe
O4 - HKCU\..\Run: [Aaou] C:\WINDOWS\System32\othb.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {A7F6B995-DD61-4818-9FD7-1BE472C531F2} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.a...83/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.a...,20/mcgdmgr.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Prevx Agent (PrevxAgent) - Prevx Ltd. - C:\Program Files\Prevx Home\PXAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe